About Me

► Nadeem Douba

° Work at Cygnos (http://www.cygnos.com) in Ottawa, ON, Canada
° Certs: GWAPT, GPEN
° Worked in the InfoSec field for 10+ years.
° Love (European) football and hacking stuff...

► Been a Maltego fan-boy since the beginning...

► Helped port/appify Maltego for Mac OS X :)
Presentation Overview

► What is Sploitego?

► Maltego - Briefly Explained

► Dive Into Development

° Before Sploitego
° After Sploitego

► Demos

► Conclusion

► Questions
What is Sploitego?

► Local Transform Development Framework for Maltego written in Python

► Provides:

° Rapid transform development
° Easy transform installation, management, and maintenance
° Complementary scripts and modules for data mining and debugging
° A whole bunch of cool transforms :)

But First...

► A little background on Maltego...
Background

Maltego Overview

What is Maltego?

► Open Source Intelligence (OSInt) and forensics information mining/gathering and graphing tool

► Developed by Paterva and PinkMatter
What is Maltego? - Cont.

► Information is represented on the graph as Entities

► For example, an Entity could be:

° Email Address
° Image
° Phone Number
° Etc.

► Each Entity has a value and optionally some fields.

[Screenshot: Maltego entity palette, grouped by category]

Locations
  Location - A location on Mother Earth
Penetration Testing
  BuiltWith Technology - A Technology identified by BuiltWith
Personal
  Alias - An alias for a person
  Document - A document on the internet
  Email Address - An email mailbox to which email messages may be delivered
  Image - A visual representation of something
  Person - Entity representing a human
  Phone Number - A telephone number
What is a Transform?

[Screenshot: graph of paterva.com linked to its mail exchangers alt1.aspmx.l.google.com and alt2.aspmx.l.google.com]

► Transforms reveal relationships between entities (or information)

► Logic that mines and returns information (or Entities) using another piece of information (or Entity) as input

° T(E0) -> {E1, E2, ... En}

Maltego Demo

Just for Clarity
What is a Transform? - Cont.

► Two types of transforms:

° Remote: runs on a remote Paterva or third-party Transform Server.
° Local: runs on the user's local machine.

• This is where Sploitego comes in...
Remote Transforms - Pros & Cons

✓ Paterva's Transforms
  ✓ Awesome!!!
  ✓ Centralized Transform Management & Maintenance
  ✓ Implementation details hidden from the user (protects your IP)

✓ Minimal Client-Side Processing Overhead

✗ Limited Data Visibility
  ✗ i.e. Server can only query accessible data.

✗ Breach of Privacy
  ✗ OSInt target/subject disclosed to a third-party.

✗ Limited Client-Side Control:
  ✗ Transforms might not be evil enough :)
Local Transforms - Pros and Cons

✓ Full Client-side Control
  ✓ No limits as to how 1337 or evil your transforms can be :)

✓ Privacy
  ✓ OSInt subject may not be disclosed to third-party

✓ Great Data Visibility
  ✓ "The world is one's oyster"

✓ Extensible
  ✓ Maltego can be used for other types of data visualization :)

✗ Processing Overhead
  ✗ Client's machine responsible for running transforms

✗ Development
  ✗ It's in your hands (or somebody else's... just delegate ;)

✗ IP Disclosure
  ✗ Implementation details no longer hidden from users.

✗ Difficult to Maintain
Local Transform Development

The Nitty Gritty
How do Local Transforms Work?

► Maltego executes a local script or executable

► Input passed via command line arguments:

$ ./mytransform.sh <value> <fieldname1>=<fieldvalue1>#...#<fieldnameN>=<fieldvalueN>

► Transform results returned via standard output in Maltego XML message format

° See: http://paterva.com/web5/documentation/localTransforms-Speclll.pdf for more details

► Debugging messages returned via standard error

Example - Transform Call

$ ./t.pl aspmx.l.google.com mxrecord.priority=0

• Note: the bolded property ("MX Record") below is the entity value (or Display Value)




Example - Transform Message

<MaltegoMessage>
  <MaltegoTransformResponseMessage>
    <Entities>
      <Entity Type="maltego.IPv4Address">
        <Value>0.0.0.0</Value>
        <Weight>1</Weight>
        <AdditionalFields>
          <Field DisplayName="Internal" MatchingRule="strict" Name="ipaddress.internal">true</Field>
          <Field DisplayName="Hardware Address" MatchingRule="strict" Name="ethernet.hwaddr">00:00:00:00:00:00</Field>
        </AdditionalFields>
      </Entity>
    </Entities>
  </MaltegoTransformResponseMessage>
</MaltegoMessage>
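The input side of the contract from the last few slides (entity value as the first argument, then one '#'-joined list of name=value fields), as an added example in Python; this is my code, not Maltego's or Sploitego's. It goes one step beyond the slides: a '#' that is escaped with a backslash is treated as part of a value rather than a separator, which is an assumption taken from the split pattern used in the deck's own Hello World transform later on, and only the first '=' of each pair separates name from value so URLs and query strings survive intact. The script name and the sample argument vector are constructed for the demo.

```python
import sys

# Constructed argv, shaped the way Maltego invokes a local transform script:
# argv[1] is the entity value, argv[2] (optional) is the '#'-joined field list.
SAMPLE_ARGV = [
    './mytransform.py',
    'aspmx.l.google.com',
    'mxrecord.priority=0#note=lit\\#not-a-separator#url=http://x/?a=1',
]


def parse_fields(spec):
    """Split '<name>=<value>#<name>=<value>...' into a dict.

    A '#' preceded by a backslash belongs to the value (assumed escape
    convention), and only the first '=' of a pair is the name/value split.
    """
    fields = {}
    if not spec:
        return fields
    pairs, buf, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == '\\' and i + 1 < len(spec) and spec[i + 1] == '#':
            buf.append('#')          # unescape '\#' into a literal hash
            i += 2
            continue
        if ch == '#':
            pairs.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append(''.join(buf))
    for pair in pairs:
        if not pair:
            continue                  # tolerate a leading or doubled separator
        name, sep, value = pair.partition('=')
        # A pair without '=' is malformed; keep the name visible instead of dropping it.
        fields[name] = value if sep else ''
    return fields


def parse_transform_argv(argv):
    """Return (value, fields) from a Maltego-style argument vector."""
    if len(argv) < 2:
        raise SystemExit('usage: %s <value> [field1=value1#...#fieldN=valueN]' % argv[0])
    value = argv[1]
    fields = parse_fields(argv[2]) if len(argv) > 2 else {}
    return value, fields


if __name__ == '__main__':
    argv = sys.argv if len(sys.argv) > 1 else SAMPLE_ARGV
    value, fields = parse_transform_argv(argv)
    # Debug output belongs on stderr so it never pollutes the XML on stdout.
    sys.stderr.write('D:value=%s fields=%r\n' % (value, fields))
```

Run it with no arguments to parse the constructed sample, or pass a value and field list on the command line the way Maltego would.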



Writing a Local Transform

Without Sploitego

Local Transform Development Checklist

► Learn Maltego Local Transform Specification

° XML Messaging
° Debugging
° Etc.

► Develop Transform

° Input Parsing Logic
° Data Mining Logic
° XML Serialization Logic
° Debugging Facilities

► Install Transform

► Configure & Maintain Transform

► Define Entity in Maltego (Optional)
#!/usr/bin/env python

from sys import exit, argv, stderr
from re import split


def parseargs(args=argv):
    """Parse arguments for Maltego local transforms."""
    if len(args) < 3:
        stderr.write('usage: %s <transform> [param1 ... paramN] <value> '
                     '[field1=value1#...#fieldN=valueN]\n' % args[0])
        exit(-1)
    arg_script = args[1]
    # The field list, when present, is always the last argument and contains '='.
    arg_field = args[-1] if '=' in args[-1] else None
    arg_value = args[-1] if arg_field is None else args[-2]
    arg_param = []
    if arg_field is None and len(args) > 3:
        arg_param = list(args[2:-1])
    elif arg_field is not None and len(args) > 4:
        arg_param = list(args[2:-2])
    fields = {}
    if arg_field is not None:
        # Split on '#' unless it is escaped with a backslash.
        fs = split(r'(?<=[^\\])#', arg_field)
        if fs is not None:
            fields = dict(map(lambda x: x.split('=', 1), fs))
    return arg_script, arg_param, arg_value, fields


def debug(*args):
    """Send debug messages to the Maltego console."""
    for i in args:
        stderr.write('D:%s\n' % str(i))


if __name__ == '__main__':
    args, params, value, fields = parseargs()
    debug('Running Hello World! Transform')
    # The response XML is hard-coded; the entity value is interpolated as-is.
    print('<MaltegoMessage><MaltegoTransformResponseMessage>'
          '<Entities><Entity Type="maltego.Person">'
          '<Value>Hello %s</Value><Weight>1</Weight>'
          '<AdditionalFields></AdditionalFields>'
          '</Entity></Entities></MaltegoTransformResponseMessage>'
          '</MaltegoMessage>' % value)
    exit(0)



Hello World Transform

► 47 lines of code for a simple transform

° Not bad...
° But not great either

► XML is hard-coded

° Not reusable
° Debugging nightmare!
° Imagine returning 100+ entities with fields :)
Installing Transforms

[Screenshot: Maltego's Local Transform Wizard, "New Transform - Configure details" step ("Enter the details of the new transform in the fields below")]
  Display name: To Hello World!
  Transform ID: foobarToHelloWorld
  Description: You say hello, and I say goodbye!
  Author: Jose Bautista
  Input entity type: Person
  Transform set: (none)

► Currently Manual Process

° Two-step Wizard per Transform

► Tedious & Prone to User Error

° More Transforms = More Configuration = Less Time Playing

Grouping Transforms

[Screenshot: "New Transform Set" dialog, Set name: Foo Bar Set]

► Have to manually create a Transform Set

► Another dialog box somewhere :)

► When does the fun begin?

Sploitego

Bringing Back the Fun
What is Sploitego?

► Local Transform Development Framework for Maltego written in Python

► Provides:

° Rapid transform development
° Easy transform installation, management, and maintenance
° Complementary scripts and modules for data mining and debugging
° A whole bunch of cool transforms :)

► How does it bring back the fun?

Remember our Checklist?

✓ Learn Maltego Local Transform Specification

  ✓ XML Messaging
  ✓ Debugging
  ✓ Etc.

✓ Develop Transform

  ✓ Input Parsing Logic
  ° Data Mining Logic <- This is all you have to take care of! - Wawa-wiwa!
  ✓ XML Serialization Logic
  ✓ Debugging Facilities

✓ Install Transform

✓ Configure & Maintain Transform

► Define Entity in Maltego (Optional) <- And possibly this...
Sploitego Transforms - Packaging

► Sploitego transforms are simply Python Modules within Python Packages

► Follows traditional Python package directory structure:

° ./setup.py (Python installation script - distutils/setuptools)
° ./foobar (Package directory)
° ./foobar/__init__.py (Module/package init script)
° ./foobar/helloworld.py (Transform module)



Hello World (Revised) Transform

#!/usr/bin/env python

from sploitego.maltego.message import Person, Phrase
from sploitego.maltego.utils import debug, progress
from sploitego.framework import superuser, configure


@superuser
@configure(
    label='To Phrase [Hello World]',
    description='Returns a phrase entity with the phrase "Hello World!"',
    uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],
    inputs=[('Useless', Person)],
    debug=True
)
def dotransform(request, response):
    progress(50)
    debug('This was pointless!')
    progress(100)
    return response + Phrase('Hello %s' % request.value)


def onterminate():
    debug('Transform interrupted by Maltego.')
Additional Steps

► foobar/__init__.py must contain __all__

Dissecting the Transform
Sploitego Transform - Dissected

► The dotransform function is the entry point

► Accepts two parameters: request, and response

► The request object has the following properties:

° value: the Entity display value (string)
° fields: the Entity fields (dictionary)
° params: extra parameters that can be parsed by optparse

Sploitego Transform - Dissected - cont.

► The response object is where we populate our results

► dotransform must return the response object

► response object uses mathematical operators to add and remove Entity and UIMessage objects

° E.g. response + Phrase('Hi') appends a Phrase Entity object to the response object

► Finally, onterminate function is called if Maltego interrupts the transform - it is optional
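The response-object design described on the two "Dissected" slides, reimplemented as an added example so the operator overloading and the XML serialization it hides can be run side by side. This is my sketch, not Sploitego's sploitego.maltego.message code: the Entity, Phrase, Person, UIMessage, Request and Response classes are hypothetical stand-ins, and the UIMessages/MessageType element names follow the Maltego local transform message format as I know it, so treat them as an assumption. The point worth noticing against the hand-rolled Hello World earlier in the deck is that ElementTree escapes the entity value, so a value such as `<script>` cannot break or alter the message structure.

```python
import xml.etree.ElementTree as ET


class Entity(object):
    """A graph entity: Maltego type name, display value, weight, optional fields.
    Hypothetical stand-in modelled on the slides, not Sploitego's own class."""
    type = 'maltego.Phrase'

    def __init__(self, value, weight=1, **fields):
        self.value, self.weight, self.fields = value, weight, fields

    def to_element(self):
        e = ET.Element('Entity', Type=self.type)
        ET.SubElement(e, 'Value').text = self.value      # escaped by ElementTree
        ET.SubElement(e, 'Weight').text = str(self.weight)
        af = ET.SubElement(e, 'AdditionalFields')
        for name, value in sorted(self.fields.items()):
            f = ET.SubElement(af, 'Field', Name=name, DisplayName=name,
                              MatchingRule='strict')
            f.text = str(value)
        return e


class Phrase(Entity):
    type = 'maltego.Phrase'


class Person(Entity):
    type = 'maltego.Person'


class UIMessage(object):
    """Text shown in Maltego's UI rather than placed on the graph."""
    def __init__(self, text, kind='Inform'):
        self.text, self.kind = text, kind


class Request(object):
    """The three properties the slides list on the request object."""
    def __init__(self, value, fields=None, params=None):
        self.value, self.fields, self.params = value, fields or {}, params or []


class Response(object):
    """Collects entities and UI messages: '+' appends, '-' removes.
    Both operators mutate and return the same object, so
    'response + Phrase(...)' can be returned straight from dotransform."""
    def __init__(self):
        self.entities, self.messages = [], []

    def __add__(self, item):
        if isinstance(item, UIMessage):
            self.messages.append(item)
        elif isinstance(item, Entity):
            self.entities.append(item)
        else:
            raise TypeError('cannot add %r to a response' % (item,))
        return self

    def __sub__(self, item):
        (self.messages if isinstance(item, UIMessage) else self.entities).remove(item)
        return self

    def to_xml(self):
        """Serialize to the MaltegoMessage format a transform prints to stdout."""
        root = ET.Element('MaltegoMessage')
        msg = ET.SubElement(root, 'MaltegoTransformResponseMessage')
        ents = ET.SubElement(msg, 'Entities')
        for e in self.entities:
            ents.append(e.to_element())
        if self.messages:   # assumed element/attribute names, see lead-in
            ui = ET.SubElement(msg, 'UIMessages')
            for m in self.messages:
                ET.SubElement(ui, 'UIMessage', MessageType=m.kind).text = m.text
        return ET.tostring(root, encoding='unicode')


def dotransform(request, response):
    """Entry point in the style of the slides; returns the response it was given."""
    response += UIMessage('This was pointless!')
    return response + Phrase('Hello %s' % request.value)


if __name__ == '__main__':
    print(dotransform(Request('World'), Response()).to_xml())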




Transform Execution - Meta-data

► @superuser instructs the dispatcher to run the transform as the super-user

► If a transform is being executed as a non-super-user:

° dispatcher will invoke sudo
° Prompt user for sudo password
° If successful, execute the transform using sudo
° Else, abort execution after three retries




Installation Meta-Data - @configure

@configure(
    label='To Phrase [Hello World]',
    description='Returns a phrase entity with the phrase "Hello World!"',
    uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],
    inputs=[('Useless', Person)],
    debug=True
)

► Instructs mtginstall on how to configure transform in Maltego

► Parameters:

° label: display label of transform in Maltego
° description: A brief description
° uuids: list of universally unique identifiers (or transform descriptor file names)
° inputs: list of tuples containing Transform Set name and Input Entity type
° debug: whether or not debug window should appear in Maltego on transform execution
Installation Meta-Data - @configure - cont.

@configure(
    label='To Phrase [Hello World]',
    description='Returns a phrase entity with the phrase "Hello World!"',
    uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],
    inputs=[('Useless', Person)],
    debug=True
)

► For example:

° Transform will appear as To Phrase [Hello World] in Maltego GUI
° Will belong to the Useless Transform Set
° Can only be applied to Person type Entities
° Have a unique ID of sploitego.v2.PersonToPhrase_HelloWorld
° A debug window will appear on transform execution
Installation Meta-Data - @configure - One more Thing.

► Notice how uuids and inputs are lists

► mtginstall supports one-to-many relationship between transforms and input entity types

° For example, Hello World Transform could be applied to Phrase entities as well
° Just add another uuid and inputs entry (matching order)

@configure(
    label='To Phrase [Hello World]',
    description='Returns a phrase entity with the phrase "Hello World!"',
    uuids=['sploitego.v2.PersonToPhrase_HelloWorld',
           'sploitego.v2.PhraseToPhrase_HelloWorld'],
    inputs=[('Useless', Person),
            ('Useless', Phrase)],
    debug=True
)
Hello World (Revised) - The Stats

► 24 Lines of Code in Total!

° Approximately 50% less code!
° Only SIX (6) lines were "actual" code!
° The rest were annotations, function signatures, and imports

► Not a single print line in sight!

► No hard-coded XML!

► What about installation?



Managing Transform Packages

Install, Uninstall, Etc.
Installing Transforms (Revised)

► To install a Sploitego transform:

° First, Install Python package containing transforms

  • distutils or setuptools are great for that!

° Alternatively, place Python module in Maltego's working directory

° Second, run mtginstall



Installing Transforms (Revised) - Cont.

► Input Parameters:

° Hello World Transform is in foobar package
° Maltego's settings are stored in ~/Library/Application\ Support/maltego/v3.1.1/ (on Mac OS X)
° Your transform working directory is ~/

► To Install Transform Package, Run:

$ mtginstall --package foobar --maltego-prefix ~/Library/Application\ Support/maltego/v3.1.1/ --working-dir ~/




Transform Installer - mtginstall

1. mtginstall first imports __init__.py in foobar package

2. Iterates the __all__ special variable to get list of modules in package

3. Loads each module and looks for dotransform function annotated with @configure

4. Reads installation meta-data and installs transform in Maltego accordingly

  a) If Transform Set doesn't exist, it will create it.

  b) Detects name collisions between transforms
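The four installer steps above, together with the uuid/inputs pairing from the "One more Thing" slide, as an added example in Python. This is my own sketch of the procedure, not mtginstall or sploitego.framework.configure: the configure decorator here stores its arguments on the function and enforces that uuids and inputs pair up one-to-one, discover_transforms walks __all__ and imports each module, and plan_install pairs each uuid with its (transform set, input entity type) and refuses to proceed on a uuid claimed by two transforms (step 4b). The foobar package, its goodbye module and the Goodbye uuid are constructed in memory so the example runs without files on disk; the only real identifiers are the two Hello World uuids from the slides.

```python
import importlib
import sys
import types


def configure(label, description, uuids, inputs, debug=False):
    """Hypothetical stand-in for @configure: attach installation meta-data
    to a dotransform function.  uuids[i] pairs with inputs[i], so the two
    lists must have the same length."""
    if len(uuids) != len(inputs):
        raise ValueError('uuids and inputs must be the same length')

    def decorator(func):
        func.transform_meta = {'label': label, 'description': description,
                               'uuids': list(uuids), 'inputs': list(inputs),
                               'debug': debug}
        return func
    return decorator


def discover_transforms(package):
    """Steps 1-3: read __all__, import each module and keep those whose
    dotransform carries @configure meta-data.  Returns [(module, meta)]."""
    found = []
    for modname in getattr(package, '__all__', []):
        module = importlib.import_module('%s.%s' % (package.__name__, modname))
        meta = getattr(getattr(module, 'dotransform', None), 'transform_meta', None)
        if meta is not None:
            found.append((modname, meta))
    return found


def plan_install(transforms):
    """Step 4: one descriptor per (uuid, set, input type) and the set names
    the installer must create.  Raises on a uuid owned by two transforms."""
    owners, sets, descriptors = {}, set(), []
    for modname, meta in transforms:
        for uuid, (set_name, input_type) in zip(meta['uuids'], meta['inputs']):
            if uuid in owners:
                raise ValueError('uuid %s is claimed by both %s and %s'
                                 % (uuid, owners[uuid], modname))
            owners[uuid] = modname
            sets.add(set_name)
            descriptors.append({'uuid': uuid, 'set': set_name, 'input': input_type,
                                'label': meta['label'], 'module': modname})
    return sorted(sets), descriptors


def _module(fullname, meta=None):
    """Build an in-memory module (constructed sample standing in for a file)."""
    mod = types.ModuleType(fullname)
    if meta is not None:
        mod.dotransform = configure(**meta)(lambda request, response: response)
    sys.modules[fullname] = mod
    return mod


def make_sample_package(name='foobar', collide=False):
    """Constructed package: helloworld (two uuids) plus a goodbye module.
    With collide=True, goodbye reuses one of helloworld's uuids."""
    pkg = types.ModuleType(name)
    pkg.__all__ = ['helloworld', 'goodbye']
    sys.modules[name] = pkg
    _module(name + '.helloworld', dict(
        label='To Phrase [Hello World]', description='Says hello',
        uuids=['sploitego.v2.PersonToPhrase_HelloWorld',
               'sploitego.v2.PhraseToPhrase_HelloWorld'],
        inputs=[('Useless', 'maltego.Person'), ('Useless', 'maltego.Phrase')],
        debug=True))
    goodbye_uuid = ('sploitego.v2.PersonToPhrase_HelloWorld' if collide
                    else 'sploitego.v2.PersonToPhrase_Goodbye')   # constructed
    _module(name + '.goodbye', dict(
        label='To Phrase [Goodbye]', description='Says goodbye',
        uuids=[goodbye_uuid], inputs=[('Useless', 'maltego.Person')]))
    return pkg


if __name__ == '__main__':
    sets, descriptors = plan_install(discover_transforms(make_sample_package()))
    print('transform sets to create:', sets)
    for d in descriptors:
        print('%-45s set=%s input=%s' % (d['uuid'], d['set'], d['input']))
```

Checking the collision in plan_install rather than at import time matters because two unrelated packages can each be internally consistent and still clash once installed side by side.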
Uninstalling Transforms

► To uninstall a Sploitego transform run mtguninstall:

$ mtguninstall --package foobar --maltego-prefix ~/Library/Application\ Support/maltego/v3.1.1/

► mtguninstall will remove the transform package (Transform Sets and Transforms) from Maltego's GUI but not from Python site-package directory



Demos

The Fun Stuff

Metasploit Integration

Demo

Nmap/Amap Integration

Demo

Scapy Integration

Demo

Extra Utilities

The Goodies
Debugging, Testing, Etc.

► mtgdebug script prints results in readable format

► mtgsh shell version of mtgdebug - still a work in progress

bitter:~ ndouba$ mtgdebug sploitego.transforms.whatismyip
|- MaltegoTransformResponseMessage
   |- Entities:
      |- Entity: {'Type': 'maltego.IPv4Address'}
         |- Value: 0.0.0.0
         |- Weight: 1
         |- AdditionalFields:
            |- Field: true {'DisplayName': 'Internal', 'Name': 'ipaddress.internal', 'MatchingRule': 'strict'}
            |- Field: 00:00:00:00:00:00 {'DisplayName': 'Hardware Address', 'Name': 'ethernet.hwaddr', 'MatchingRule': 'strict'}
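A tree renderer in the spirit of the mtgdebug output above, as an added example; it is my code, not Sploitego's mtgdebug. It parses the MaltegoMessage a transform writes to stdout and prints one '|- ' line per element, nesting children and appending each element's attributes as a dict so a Field's DisplayName, Name and MatchingRule remain visible. The layout only approximates the slide's output. The sample message is constructed inline, mirroring the IPv4Address example from the transform-message slide, and a malformed message (the usual symptom of a stray print statement in a transform) is reported as a single line instead of a traceback.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what a transform writes to stdout; it mirrors the
# IPv4Address message shown earlier in the deck.
SAMPLE_STDOUT = (
    '<MaltegoMessage><MaltegoTransformResponseMessage><Entities>'
    '<Entity Type="maltego.IPv4Address"><Value>0.0.0.0</Value><Weight>1</Weight>'
    '<AdditionalFields>'
    '<Field DisplayName="Internal" MatchingRule="strict" Name="ipaddress.internal">true</Field>'
    '<Field DisplayName="Hardware Address" MatchingRule="strict" Name="ethernet.hwaddr">'
    '00:00:00:00:00:00</Field>'
    '</AdditionalFields></Entity></Entities>'
    '</MaltegoTransformResponseMessage></MaltegoMessage>'
)


def render_tree(xml_text, indent='   '):
    """Render a MaltegoMessage as a list of indented '|- ' lines.

    Leaf elements read 'Tag: text'; elements with children read 'Tag:' and
    their children follow one level deeper.  Attributes are appended as a
    dict.  Malformed XML yields a one-line diagnostic instead of an exception.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return ['! stdout is not a well-formed Maltego message: %s' % err]
    lines = []

    def walk(node, depth):
        label = node.tag + ':'
        text = (node.text or '').strip()
        if text and len(node) == 0:        # leaf element: show its text
            label += ' ' + text
        if node.attrib:
            label += ' ' + repr(dict(node.attrib))
        lines.append(indent * depth + '|- ' + label)
        for child in node:
            walk(child, depth + 1)

    for child in root:     # skip the MaltegoMessage wrapper, as the slide's output does
        walk(child, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render_tree(SAMPLE_STDOUT)))
```

Feed it the captured stdout of any local transform (the XML, not the stderr debug lines) to eyeball the entities and fields a transform is about to hand to Maltego.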



Graph Export Conversion Tools 

► mtgx2csv converts exported Maltego graphs to CSV (comma-separated value) format.

► csv2sheets reads the output of mtgx2csv and separates entities of the same type into separate CSVs




CONCLUSIONS 

Last but not Least 



Nadeem Douba | www.cygnos.com 



Project Roadmap 



► Get a website up with some documentation © 

► Create more transforms for: 

° Social Engineering
° Forensics
° Exploitation
° Scanning and Vulnerability Discovery
° Third-party Tool Integration
° Etc.

► Create an online community and transform 
package index for transform developers similar 
to PyPI 

► Develop a context engine 

° Minimize data duplication on graphs 
° Provide transforms with access to full graph 
Looking for Help!

► Sploitego needs your help!

° Developers
° Transform Gurus
° Hackers
° Documenters
° Website Designers
° Chefs who deliver to the Ottawa area :)




Contact Info 



► Please feel free to contact me: 

° Email: ndouba@gmail.com
° Twitter: @ndouba 
° Skype: nadeem.douba 



Kudos 



► To the Paterva team: 

° Andrew MacPherson (Mohawk) 
° Roelof Temmingh (RT) 

► To the Cygnos & RCGT team (wOOt!) 

► Thank you for attending! 
Questions

Anyone?